When dealing with XFRM_MSG_MIGRATE message, xfrm_migrate func does not
check dir value of xfrm_userpolicy_id.
This will cause out of bound access to net->xfrm.policy_bydst in
policy_hash_direct func and others when dir value exceeds
XFRM_POLICY_MAX.

The whole value of struct xfrm_userpolicy_id can be controlled by
sending netlink message, and the out of bound addr can be expected;
this may lead to potential security issue.